It's been a while since I played with rfid technology but recently some news
around LF cards has made me interested again. The proxmark3 is the best
device for going deep with rfid technology so I considered buying one.
Reading various sources about the availability of proxmark3 hardware taught
me the latest and greatest version (currently Proxmark3 RDV4) has not a lot
of advantages over the previous version (RDV3) which is available at
seriously lower prices from several webshops. So I ordered one using
aliexpress and the wait started.
Today the proxmark3 came in. I built the software for Linux using the
guide at proxmark3 Linux Installation Instructions
where I noticed I had to add packages libbz2-dev and
gcc-arm-none-eabi by hand to get things to compile/build correctly.
After doing the firmware upgrade dance I started testing and looking around.
The proxmark3 detects 125 kHz (LF) and 13.56 MHz (HF) cards fine. With the
order came a blank card which is both a 13.56 MHz Mifare 1K with changeable UID
and a 125 kHz T5577. There were also two small keyring tags, a mifare 1K and a
mifare 4K.
First attempts
The proxmark3 shows information for all the cards I tried. To my surprise the
skipass from our last ski trip to Austria was an HF only card, I thought ski
passes used 125 kHz technology so they could be read through jackets or other
layers more easily. It's an ISO 15693 tag and I can access all data easily.
[usb] pm3 --> hf search
🕗 Searching for ISO15693 tag...
[+] UID: E0 16 24 66 09 99 B3 70
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+] Valid ISO 15693 tag found
[usb] pm3 --> hf 15 info
[+] UID: E0 16 24 66 09 99 B3 70
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+] Using UID... E0 16 24 66 09 99 B3 70
[=] --- Tag Information ---------------------------
[=] -------------------------------------------------------------
[+] TYPE: EM-Marin SA (Skidata); EM4233 [IC id = 09] 23,5pF CustomerID-102
[+] UID: E0 16 24 66 09 99 B3 70
[+] SYSINFO: 00 0F 70 B3 99 09 66 24 16 E0 02 00 33 03 02
[+] - DSFID supported [0x02]
[+] - AFI supported [0x00]
[+] - IC reference supported [0x02]
[+] - Tag provides info on memory layout (vendor dependent)
[+] 4 (or 3) bytes/blocks x 52 blocks
As all the tag readers in that ski area are on-line anyway, I guess the card
is just a big serial number and all the checking whether the user isn't trying
to do something that wasn't paid for is done in central computers.
First error
While trying to clone an LF card into the T5577 I managed to make the T5577
card end up in a weird state: it now only returns 0x0000 or 0xFFFF patterns
on read depending on the communication configuration.
I have been given a Genexis Platinum-4410 router with the reasoning that I
like to play with embedded systems and test the security. Well, that is what
I did.
How far did I get
I have serial console, I have extracted filesystem images, and I can't
get a shell on the router.
The device
It's a router with 4+1 ethernet ports, wifi, two ports for analog telephones
and a USB interface.
Looking at it from the network
In this specific instance the 4 ethernet ports which are logically the
'inside' don't give me a link after the router has booted up. The 1 port which
would be the 'outside' or 'WAN' port gives a link and acts as a DHCP client.
The next step was to connect to the wifi network and play with the web
interface. This like a custom web interface. Default credentials which
match what is on the sticker on the underside of the router.
The router doesn't have a telnet server listening for 'easy' access.
Opening the case
Next step was to open the case and investigate the mainboard. Chips seen on the
mainboard: Mindspeed J83100G System on a Chip (SoC), MXIC MX29GL256FHT2I-90Q
flash memory, 2* Etrontech EM68B16CWQD-25H 512 mbit DRAM, Si32260-FM1 dual
channel FXS (voip) chip and other electronics.
The mainboard has lots of test points, but no clear UART interface. There is
an edge connector which looks like a PCI Express connector but it isn't.
I asked help about this: What is this connector, does it include UART on a Genexis Platinum-4410 ? : hardwarehacking
because r/hardwarehacking on reddit has helped me before.
This edge connector turned out the 'place to be' and with the standard tricks
for finding the UART I soon had an idea. But nothing to stick a dupont wire on
and no PCI express or cardedge breakout cable/board available. So I had to
solder wires to the right lanes on the connector. I had permission to damage
the router, so that was ok. Soldering within half a millimeter was really hard!
This was the first time I actually used my soldering iron for hardware hacking.
And a magnifying glass to actually see what I was soldering.
I wanted to grab the root filesystem image from the flash memory of the
Cab.Link CLS-D4E2WX1 cable modem/router.
The way to do this was the same as with Grabbing the firmware from the Corinex CXWC-HD200-WNeH and extracting the root filesystem
although I decided to just dump the root filesystem image and not the
entire flash memory.
So the box was opened again, the usb serial interface connected to the
uart pins on Cab.Link CLS-D4E2WX1
I found earlier and the boot stopped in the U-Boot process.
First step was to determine where in the memory map the root filesystem
image would be. This took a bit of calculation. From the bootup messages
there are two important hints:
So the kernel image is booted from address 0x9f670000 and it's in the
MTD partition at 0x000000670000. This makes the guess that the rootfs
image from 0x000000050000 will live at memory location
0x9f050000 and has a size of 0x620000 so the approach is to
dump 0x620000 bytes starting at that memory location. The command to do that
in U-Boot:
My enthusiast stories about getting uart access on the previous cable router
devices are causing more hardware to come my way to play with.
This time two Corinex HD200 CableLAN Wall Mount Adapter CXC-HD200-WMEe units
showed up. They are compact interfaces for ethernet-over-cable according to
Corinex standards. The size and the status leds remind me a lot of
devolo powerline units
which I used years ago to get network in our garden shed.
After voiding the warranty by breaking the sticker and unscrewing the two
screws the case doesn't want to open yet. Some force is needed, plastic tabs in
the corners kept it closed. I notice there is one very compact board with
everything including the power supply. There is a clear demarcation on the
board between the power supply area and the rest with slits in the board on
parts of this line. Two other screws hold the board to the case and after
removing those I can take it out. There are wires from the board to the power
plug and a coax cable to the F connector for the coax cable.
There is probably a main system on a chip (SoC) but it's hiding under a
heatsink. Most components are surface mount devices (SMD).
On the other side of the board I see a RTL8201EN ethernet chip near the
RJ45 network connector. And an EM638165TS-6IG chip which turns out to be
64 Mbit of Synchronous DRAM. And a 25L3206E, 32 Mbit serial flash.
For now I have no idea if this device has a UART somewhere. The only row
of 4 small soldering pads didn't give me continuity to any part that I
thought would be at the electric ground level so no idea whether that is
the UART or not.
Although there are two units they don't want to talk to each other over a coax
cable with F connectors. The manuals I can find state clearly that they want to
see a Corinex Ethernet over cable master device. The person that gave them to
me has experience with these devices and their implementation of the standards
and stated to me Corinex ethernet over cable devices only talk to Corinex
ethernet over cable masters.
From a perspective of security research I only touched the surface of the
security research on the Corinex CXWC-HD200-WNeH and the
Cab.Link CLS-D4E2WX1
by finding default credentials for telnet.
To get a further insight I need to first enumerate the network attack surface
completely. What services are running, what programs run those services.
The ultimate step would be to build an emulation environment where I can run
the programs from the routers under my control and find out about the programs
and get a first few steps into reverse engineering. With qemu it is possible to
emulate MIPS systems on x86 hardware, so I can build a test environment.
It would need some work to get old enough versions of code and kernels to
create a compatible environment. The Corinex router mentions compilation in
2012 but with Linux kernel 2.6.21 which was released 25 april 2007. The
Cab.Link router mentions compilation in 2013 but uses Linux kernel 2.6.31 which
was released 9 september 2009.
After getting a good look at the
Cab.Link CLS-D4E2WX1
from the outside it was time to void the warranty and open the box. The
two screws are hiding under the little rubber feet at the front side and
after removing those two screws the case opens with a bit of jiggling.
This device has an external 12 volt 1 ampere power supply.
Chips found on the board:
Qualcomm QCA7411L-AL3C - Homeplug AV / IEEE 1901 the ethernet over cable interface I guess
I also see an extra board (leftside of the picture, blue) where the u.fl cable
to the wifi antenna starts. It has a few larger chips but those have a label
over them. I guess one of them must be the CPU because I haven't seen a chip
with that function yet.
The makers of the Cab.Link CLS-D4E2WX1 were kind enough to include 4 pins
labeled J30 (bottom left of the picture) which are a very obvious candidate for
being the uart port. Again the process for find GND, TX, RX and Vcc was done
and the right pins found. With the board in front and the J30 readable the pins
are from left to right TX, RX, GND and 3.3 volt. I name the TX and RX pins from
the view of the system, so I see data transmitted on TX and I send data to RX.
The earlier Ethernet over Cable modem/router I poked at didn't come alone,
from the same source I also got a Cab.Link CLS-D4E2WX1 cable modem/router.
Doing a search for it finds actual listings for trying to order them
wholesale: Buy Wholesale China 7400-eoc Slave Modem, Separate Tv And Ethernet From One Cable, 4 Ethernet Ports Output & 7400-eoc Slave Modem at USD 127 | Global Sources
and Eoc Male Slave 4 Ethernet Port With Wifi - Buy Eoc Esclavo Product on Alibaba.com.
Both listings call it an EOC slave. Given the terminology I expected EOC
master devices to exist as well and I soon found out those exist and can be
pricey. So I'm not going to spend money on this subject, but I may be
interested in recycling an EOC master unit.
The unit has one external wifi antenna, 4 ethernet ports, external power
supply 12V and 9 leds. The cable connection is via 2 female F connectors with
one labeled 'Cable' and one labeled 'TV'. I do notice the case has a lot of
ventilation holes.
On the underside is a label with the manufacturer name, model name, a
default equipment management IP 10.10.1.250, a Wireless Network Name
'wifi' and the EOC and Wifi Mac addresses as numbers and barcodes, and
the serial number as number and barcode. The unit has four little rubber
feet (full LRF support) and two of those are hiding screws to open the unit.
On switching the Cab.Link router on I indeed see a wifi network appear with the
name 'wifi' which on connecting gives me an IPv4 address in the 192.168.1.x
range with the default gateway 192.168.1.1.
Cab.Link CLS-D4E2WX1 router underside
The Cab.Link router has a web interface listening on port 80. It directly asks
for http authorization but using admin/admin for username and
password gets me right in. Up until now I haven't found any reference to PLC or
EOC in the webinterface.
The Cab.Link also has a telnet server running on port 23. It greets me with
an OpenWRT banner but the first few attempts at finding username/password do
not let me in:
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
WARNING: telnet is a security risk
OpenWrt login: admin
Password:
Login incorrect
OpenWrt login: root
Password:
Login incorrect
OpenWrt login:
I closed the case of a vulnerability in the Corinex CXWC-HD200-WNeH
with a confirmation from the vendor that this is a device completely out of
support. Which confirms the public information I found
when I started looking into this device.
This was all related to the course in hardware hacking I took and applying
the new knowledge.
So now I can look back on this experience and think about my future here.
Hardware hacking has serious links to my current job as technical security
specialist. In my work I regularly have to look at vulnerabilities and assess
the chance and impact of misuse of the vulnerability. With hardware hacking
I find vulnerabilities by researching hardware. This helps me understand the
chance and impact factor of other vulnerabilities.
There is also a link to my education: part of that was MTS electronics. I
learned how to solder, before SMD components were a thing and I think I got
some explanation about switching mode power supplies at the end. As I got into
computers I didn't do much with this education but the last years in amateur
radio have made me get out the soldering iron again.
There is a clear link to my hobby of amateur radio. My interest in amateur
radio is linked to wanting to know how things actually work. Hardware hacking
is also done with RF signals so I may get into more RF related hardware
hacking.
My current thought is that I want to continue in this subject. It's given me
joy: getting into a device in new and unexpected ways gives joy! I have learned
new things. I noticed I need to feed the brain regularly with new information
and actually learning something new is much better brainfood than browsing
social media. At the same time social media is the way to learn
more about this subject and interact with other people interested in this
subject. I ended up on /r/hardwarehacking on reddit
and already learned from others and shared some of my own insights!
There is the thing about RFID/NFC security. I have looked into this in the
past, mostly by getting the tools to peek into the MiFare classic cards. I am
considering going further with this area of hardware hacking. Prices of hacking
tools for this area like the proxmark3 or the flipper zero are above the 'nice
to try a few things' level. On the other hand I think I could have loads of fun
there, and the overlap with amateur radio is very clear.
At the end of this bit of writing: thanks to people who share their hardware
hacking experiences on-line! Thanks to Jilles
Groenendijk, Router Archeology: Sitecom WL-330 - Habbie's journal,
@Flashback Team on youtube,
Make Me Hack on youtube,
and Boschko Security for sharing
their stories and knowledge.
Somewhere between the digging in the Corinex CXWC-HD200-WNeH I found a
vulnerability. A combination of a misconfigured network filter and a default
account make it quite easy to get into the device and get full access.
I tried to report this vulnerability before publishing about it. Timeline:
24 September 2022 I mailed a general address at Corinex about this
29 September 2022 I mailed someone who wrote about Corinex devices in the
Netherlands
28 October 2022 I tried to contact @CorinexCorp on twitter via a mention
All this got exactly zero response.Update 2022-11-17: @CorinexCorp responded on twitter:
Hi Koos. Apologies for a lack of response. Corinex no longer supports CXWC-HD200-WNeH devices. The company exited the consumer market many years ago.
Because this device is out-of-support for years now and should not be in
use anywhere anymore, I think I've invested enough effort in trying to
report this vulnerability to the right people and I can now publish this
and close this chapter.
On to the actual vulnerability. Like a lot of other vulnerabilities this is
a case of multiple things coming together.
Another attempt at trying to understand the Ethernet over Cable stuff in the
Corinex CXWC-HD200-WNeH that I have been working on. I found this on the
device:
# /app/plcStatus
Socket creation success.
Socket binding to vlan1 success.
Send success (22).
Send success (22).
Node type: 01
Ip address: 0.0.0.0
Parent mac: 00:00:00:00:00:00
Up speed: 00
Down speed: 00
Child count: 00
#
The use of 'plc' (PowerLine Communications) and the way this works suggests
to me this is indeed an ethernet-over-coax device (so no docsis). But I can't
figure out where the ethernet-coax bridge is. I thought plcStatus
would use some ethernet protocol to communicate with the bridge (just as
the devolo dlan tools do) but I can't find any trace of the traffic on the
wifi interface.